Installation

Back to customer support

Common error code/messages for Secure and Global Server Certificates

1. Java (9504 ERROR) DSA/RSA Algorithms
2. SGCINST.EXE appears to execute but SGC does not work?
3. Page Cannot be Displayed
4. ISS CAPI2 ERROR

1. Java (9504 ERROR) DSA/RSA Algorithms

We only except the RSA algorithms, which is why you are receiving the 9504 error. From this I can only suggest you produce a RSA algorithm key pair. Complete instructions for signing applets using RSA certificates can be found at http://java.sun.com/products/plugin/1.3/docs/rsa_signing.html. Generate the key pair with the following commands: keytool -genkey -keyalg RSA -keystore [keystore name] -alias [key name] keytool -certreq -keystore [keystore name] -file mycsr.csr.

Note: Please be aware that you do not need to specify the signature algorithm - this is defaulted on the basis of the algorithm selected by "-keyalg RSA". You will need to open up the file "mycsr.csr" and copy and paste it into our online form at the appropriate time during the request process. This is the most basic way to generate a key pair. If you prefer, you may use a number of switches to customize the procedure to your needs. These switches are well documented and explained in the Key and Certificate Management Tool online document at http://java.sun.com/products/jdk/1.2/docs/tooldocs/win32/keytool.html Command line options for other algorithm types can be found in the Key and Certificate Management Tool (http://java.sun.com/products/jdk/1.2/docs/tooldocs/win32/keytool.html) which documents the use of Keytool extensively.

2. SGCINST.EXE appears to execute but SGC does not work?

SGCINST.EXE Appears to Execute but SGC Does Not Work (Microsoft Knowledge Base: Q180018) The information in this article applies to: Microsoft Windows NT Server version 4.0 SP3 / Microsoft Internet Information Server versions 3.0 , 4.0
SYMPTOMS:
Sgcinst.exe appears to execute but SGC does not work.
RESOLUTION:
To resolve this problem, obtain the Server Gated Cryptography (SGC) update. For more information on how to obtain the updated version of Schannel.dll, see the following article in the Microsoft Knowledge Base: Q148427

3. Page Cannot be Displayed

If after installing your server certificate, you are unable to establish a secure session (HTTPS) and your browser is returning the error message "Page Cannot be Displayed" you should first check the following:

Ensure that the installation instructions used were correct for your web server. Check the server has been restarted after installing the certificate. If this is not done problems may be encountered in connecting to the SSL site. The connection must be made using the correct common name as it appears in your certificate. Some browsers will not be able to connect to a SSL site if an IP address or machine name is used. To resolve this either update the DNS or add a host file entry to the PC being used for testing. Server Bindings (IP and port settings) should be confirmed. Generally server configuration requires the internal IP address, and the SSL port of 443 to be set. This process will be different depending on the web server software you are running – you should consult your server documentation for exact procedures.

The firewall/proxy properties should also be checked. To achieve an SSL connection, Traffic must be enabled in both directions on port 443. If this has not been done, https connections will fail.

4. IIS CAP12 ERROR
Error: "CAPI2 = 80093005" when importing your certificate, or keyset files.
There are a number of reasons for the CAPI2 error (CAPI2 refers to the Microsoft cryptographic engine). Some of the more common, and more simple are outlined below. Using SP4 or SP5:
Your certificate file may not be in the correct format. Make sure your certificate is in a valid format.
When importing, you may be specifying the CSR as the private key (even though the certificate is correct).
You may be importing 2 private keys, one as the certificate file, and the other as the key file.
You may be importing 2 CSR files. When importing keyset files, make sure that you are specifying the correct key and certificate files.

Using SP5 or SP6 128 bit: It is most likely to be a bug found in your Service Pack. Download the Microsoft fix.

keyring.zip

The file is in .zip format.
Please follow these instructions to install it:
1. Unzip the file.
2. All you need is the "keyring.exe" file for your architecture.
3. Stop IIS.
4. Backup your "C:\winnt\system32\inetsrv\keyring.exe" file (rename to old_keyring.exe)
5. Copy the new file to that location. 6.Start IIS and install the certificate.